Guide to Email Security in 2022
EMAIL SECURITY GUIDE FOR MID-SIZE ENTERPRISES
We all know that email is still an indispensable power app used more than just about any other digital tool in business. With such a high dependence on email to run your businesses, maintaining its functionality is critical. But what about its security?
Consider these questions:
Think of email as a portal into your network. Just like a bank robber will always try to break into the bank through physical vulnerabilities, bad actors will attempt to take advantage of weaknesses in your network to gain access to your valuable information.
If you’ve been thinking that you should be taking your email security more seriously — you’re right — and if you don’t, it could cost you. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide.
Here’s what you need to know to keep your email network secure as part of a comprehensive cybersecurity program, and how Plus+ can help.
In this guide, we'll address the following questions:
Why is Email Security Important?
Safeguarding your email system should be high on the priority list when securing your company’s virtual assets. Commonly cited industry figures put email at the start of over 90% of cyber attacks, making it the number one attack vector that cybercriminals exploit.
The potential for cyber threats through email is driven largely by the sheer volume of email we get. Email volumes and users continue to grow every year. One estimate pegs the average deluge at about 120 business emails sent and received per user each day.
What all this means is that its ease and ubiquity has turned email’s defining strengths against us. As we get more and more email, it becomes harder to guard against the threats, especially when most users cannot tell the difference between a valid message and a phishing attempt. Well-intended plans to educate users may lead to false positives and overworked IT teams. It becomes a problem of ‘don’t cry wolf’ – but this time, the wolf is getting bigger and stronger.
And bad actors are taking advantage of this.
In 2019, Microsoft blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack.
According to a 2021 study, employees receive an average of just over one malicious email per month, with some industries seeing upwards of four times that amount.
While all of your employees are likely using email to conduct business, they may not all be aware of phishing attacks or the risk they pose. According to a 2021 cybersecurity threat trends report, when a phishing link is sent to employees, more than 8 out of 10 organizations had at least one employee click on the malicious link.
Amping up your email security can help to block these emails before they make it into your employee’s inboxes, minimizing the risk of an unintended, but costly click.
In a post-pandemic world, businesses have migrated even further into the virtual world. At the same time, the avenues for cyber threats have expanded and bad actors have more opportunities to find vulnerabilities and break into your data. Even if you have built in safety measures for the transition, cybercriminals are constantly refining their tactics to trick users into exposing data.
The Costs of Cyber Threats to Your Business
What’s the financial risk to your business? Pretty huge. Here’s a rundown of the average costs and efforts to remediate:
A single email breach could lead to several big problems for your organization:
The Top Types of Email Cyber Attacks
Now, let’s take a closer look into the types of threats that your business faces in email. We’ll start with the biggest: phishing and ransomware.
Phishing, Ransomware, and Email
Cybercriminals are increasingly using social engineering tactics to gain access to your company’s private data. Social engineering uses psychology to manipulate your employees into unintentionally disclosing data, passwords, or other confidential information.
Spam and phishing are the delivery mechanisms for social engineering; ransomware is the payload they most often carry. All three are becoming more common, as shown in a 2021 survey that revealed over 75% of businesses experienced a phishing or ransomware attack.
Spam takes junk mail to a whole new level. This unsolicited virtual junk is sometimes harmless commercial advertising, but often it carries phishing links or attachments that install malware, including ransomware. Spam emails can include fake sweepstakes wins or even claims that your antivirus is out of date. Malicious spam is difficult to stop at the source because it is commonly sent through botnets of infected computers spread across many networks, so blocking any one sending address accomplishes little.
And spam isn’t the only email enemy. Often, phishing and ransomware go hand-in-hand with spam. In phishing emails, bad actors attempt to impersonate a legitimate business. A bad actor might spoof a trusted brand, like your bank, and try to get you to enter your login credentials.
With ransomware, criminals trick the user into running malicious software that encrypts files, and increasingly copies them out first so the attacker can also threaten to publish them, then demands payment for the decryption key. Paying does not guarantee recovery, which is why tested, offline backups are the real safety net. With all of these tactics combined, a black hat hacker can create a compelling illusion that puts your company’s cybersecurity at risk.
Types of Phishing Attacks
Spear Phishing
When a phishing attack is targeted at a specific individual, that’s called spear phishing. These can be especially convincing because they are custom-tailored to the intended victim using details gathered beforehand, such as the person’s role, their manager’s name, or a supplier the company actually uses. A generic lure, such as tracking information from an unfamiliar shipping company for an item that was never ordered, is bulk phishing; the spear-phishing version names the recipient, their employer and a real shipment.
Business Email Compromise
Business Email Compromise (BEC) is another type of phishing. In a BEC attack the bad actor either takes over a legitimate company email account using stolen credentials, or impersonates one with a lookalike domain or a forged display name, and then sends requests that look routine: new bank details for an invoice, an urgent wire transfer, a gift-card purchase. Because these messages usually contain no malware and no link, filters have little to catch. When a regular contact asks for something that seems strange, especially anything involving payment details, pick up the phone and call the company on a number you already have (not one given in the email) to verify before proceeding with the request.
All of these phishing attack types are common, affecting over 75% of organizations in 2020, and can have serious financial consequences. The best road forward for businesses is a combination of education and prevention. Investing in preventative software tools that quarantine suspicious emails can be the first line of defense against phishing and spam.
How Email Security Works
For the time being, it looks as though neither email nor email attacks will be going away for businesses any time soon; therefore, you must protect your network as well as possible with email security. Your email security system should inspect incoming messages for malicious intent and sift out the flagged messages. At the same time, your system should also protect your data by encrypting your organization’s outgoing messages.
Best practices in email security call for these five preventive elements:
Anti-phishing is the first element that protects your employees’ email accounts and aims at preventing impersonated emails from making it to the inbox.
Next is malware protection, which scans attachments and links for viruses and other malicious code. Third, data loss prevention (DLP) protects against threats inside your own organization, including unintentional data loss such as mistakenly sending an attachment to an unintended recipient. DLP solutions can monitor, flag, and block different email actions in an effort to protect your data.
Fourth is protection against account takeover (ATO), a form of online identity theft in which a third party illegally accesses a victim’s account to change account details, make purchases, and use the stolen information to access other accounts. Bad actors employ a number of strategies to perform an account takeover, including phishing, malware and man-in-the-middle attacks, so ATO protection combines multi-factor authentication with monitoring for sign-ins and mailbox changes that do not fit the user’s normal pattern.
Email encryption is the fifth element that keeps your data secure. Most companies send out thousands of emails each day, so interception by a bad actor is a real threat if your outgoing correspondence is not encrypted. Encryption encodes your email so that it is unreadable to anyone who intercepts it without the key. Encryption in transit (TLS between mail servers) protects messages on the wire; message-level encryption (such as S/MIME or a provider’s encrypted-message service) also protects them at rest in the recipient’s mailbox.
Some message-encryption services require the recipient to authenticate, often with multi-factor authentication, before the message is opened. This adds an extra layer of protection, helping ensure the intended recipient is the only one with access.
Is Your Built-in Email Security Sufficient?
Do you know which security features your email comes with by default? Because it is so widely used by businesses, Microsoft 365 email (Exchange Online, accessed through Outlook) is a prime target for cybercriminals to exploit.
Making your company’s email accessible from anywhere sounds like a very appealing solution, especially for employees working remotely or traveling. However, it changes the threat model: the sign-in page is reachable from the whole internet, so attackers anywhere can try stolen or guessed passwords against it (credential stuffing and password spraying). Authorized workers are not the only ones who will be trying to access those mailboxes. This is the built-in trade-off of cloud-based email, and it is why identity controls matter as much as mail filtering.
Email in Microsoft 365 comes with Exchange Online Protection (EOP) as standard, and the default security settings may be insufficient for your organization. Out of the box, these settings enable some necessary and best-practice capabilities. However, many organizations will want to augment the standard configuration with additional security controls and procedures; Microsoft’s own preset security policies are a useful baseline to compare your tenant against.
Companies that use cloud-based email are susceptible to business email compromise (BEC) attacks, where a hacker poses as the user after gaining unauthorized access to their mailbox. This type of attack has become more common as more companies have moved to cloud-based email: remote access makes it easier for black hats to sign in to a mailbox from anywhere and, from inside it, convince a colleague to pay an invoice, since the email genuinely comes from a trusted contact. That is much simpler than getting someone to fall for a bulk-phishing scam.
Your cloud-based email provider’s baseline filtering is tuned to generic signals such as sender reputation and known-malicious links and attachments. It is not tuned to what is normal for your organization, so a message sent from a compromised colleague’s mailbox, with no link and no attachment, looks legitimate to it. Catching BEC requires controls your own team configures: alerting on unusual sign-ins and new mailbox rules, and a verification procedure for any change to payment details.
Another reason your cloud-based email may not be secure out of the box is that baseline filters do not account for social engineering. Some malicious emails contain nothing that would trigger a filter because they simply aim to trick the reader into replying with information, without any link to click or any credential form to fill in.
Tips to Optimize Email Security
So, we’ve shared the importance of email security and the risks associated with being under prepared for email based cyber attacks. Now, let’s dive into how you can deal with it.
Here are the practices that Plus+ uses to enhance security and mitigate risk contributed by the use of enterprise email systems. Many of these practices focus on the Microsoft 365 suite since it is one of the most popular email and business productivity systems. However, you should be able to apply most of these tips regardless of your email platform.
Protect Against Lost or Stolen Passwords
Most people have hundreds of passwords to remember. That usually means we are all reusing the same passwords, or variations of them, over and over, so one password leaked from an unrelated site can open the corporate mailbox. If you want your employees to use truly secure passwords, it may be time to invest in a password manager. This removes the temptation to use easy-to-guess passwords and means credentials are not saved in a document or written on paper waiting to be stolen. Pair it with multi-factor authentication so that a lost or stolen password alone is not enough to sign in.
Guard Against Malware and Ransomware
Malware consists of viruses, spyware, ransomware and other malicious software. First, keep computer operating systems and all software up to date. Updates carry the patches for the known vulnerabilities that malware and ransomware exploit; an unpatched workstation turns a single bad click into a full compromise.
As additional protection, Microsoft 365 includes anti-malware mechanisms: Exchange Online Protection scans attachments against known malware signatures, and Microsoft Defender for Office 365 (included in some plans, available as an add-on to others) adds protection against more advanced threats, including detonating attachments in a sandbox (Safe Attachments) and rewriting links so they are checked at click time (Safe Links).
Educate Users
The nature of email requires human judgment when it comes to deciding whether or not an email is legitimate and trustworthy. Train your employees to recognize the signs of cyber threats as well as when and how to report suspicious emails.
If the threats make it past your phishing detector, you’ll need to rely on employees (and maybe supply-chain users such as suppliers and partners) to use good judgment to avoid a click that could cost you millions.
Workforce education in cybersecurity is imperative to make sure that your staff is aware of the real threat of email attacks. This will reduce the chance of your employees unintentionally clicking a malicious link. Encourage your users to report anything remotely suspicious and stay on the safe side.
Verify each area of the email before clicking links. Here are some of the red flags to look out for:
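Several of the checks a trained user makes by eye can also be automated at the gateway or in a phishing-report triage tool. The script below is an added example written for this guide, not code from the original page or from Plus+. It parses a raw message with Python’s standard email and html.parser modules and flags a Reply-To domain that differs from the sender, a display name that invokes a brand whose real domain does not match the sending domain, urgency language in the subject, and links whose visible text names one host while the href points at another host or at a bare IP address. The sample message, the brand-to-domain table and every domain in them are constructed for the illustration.

```python
"""Flag common phishing red flags in a raw RFC 5322 message.

Added example (not from the original guide). The message, brand table
and domains below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims "Example Bank", the sending
# domain is a lookalike, Reply-To goes to a free-mail host, and the link
# text shows the real bank while the href points at a bare IP.
SAMPLE_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: helpdesk@freemail.example
To: finance@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your account has been locked. Click
<a href="http://203.0.113.9/login">https://examplebank.com/login</a>
to restore access.</p>
</body></html>
"""

# Assumption for the example: brands your users deal with and their real domains.
TRUSTED_BRANDS = {"example bank": "examplebank.com"}
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|account (locked|suspended))\b", re.I)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_header):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def red_flags(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Replies are routed to a different domain than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Display name invokes a known brand but the sending domain is not that brand's.
    for brand, real_dom in TRUSTED_BRANDS.items():
        if brand in from_name.lower() and from_dom != real_dom \
                and not from_dom.endswith("." + real_dom):
            flags.append(f"Display name claims {brand!r} but sender domain is {from_dom}")

    # 3. Pressure language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("Subject uses urgency or account-threat language")

    # 4. Link text shows one host while the href goes elsewhere, or to a bare IP.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = host_of(href)
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            flags.append(f"Link text shows {shown} but points to {target}")
        if BARE_IP.fullmatch(target):
            flags.append(f"Link points to a bare IP address {target}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_MESSAGE):
        print("-", flag)
```

A production version would also read the Authentication-Results header (SPF, DKIM and DMARC outcomes), maintain the brand table as organization-specific configuration, and treat a message with no flags as “not obviously bad” rather than safe, since BEC messages are built to pass exactly these checks.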
Stop Auto-forwarding Email
Make it company policy to disable external email auto-forwarding at the tenant level. Auto-forwarding is a feature some use for convenience, such as redirecting messages to a coworker while on vacation, but it is a security risk: once cybercriminals gain access to a mailbox, one of the first things they do is create a forwarding or inbox rule that silently copies every incoming message to an address they control, so they keep reading sensitive email even after the password is changed. Block forwarding to external domains, audit existing inbox rules for forwards, redirects and rules that delete or hide mail, and alert on newly created ones. In Exchange Online the tenant-wide control is the automatic forwarding setting in the outbound spam filter policy.
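What such an audit looks like, as an added example that is not code from the original guide: it runs over a constructed list of rules whose field names approximate what Exchange Online’s Get-InboxRule cmdlet returns (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MarkAsRead) and grades any rule that sends mail outside the company, with the severity raised when the rule also hides the forwarded mail or carries the blank or one-character name attackers typically use. The internal domain and the three rules are assumptions made for the illustration; a real export would be fed through the same function.

```python
"""Flag mailbox inbox rules that forward or redirect mail outside the company.

Added example, not from the original guide. The rules are constructed and
use simplified field names modelled on Exchange Online's Get-InboxRule output.
"""

# Assumption for the example: the organization's own mail domains.
INTERNAL_DOMAINS = {"corp.example"}

# Constructed export: a benign vacation rule, a classic post-compromise
# exfiltration rule (redirect externally, then hide the evidence), and a
# disabled rule that still points at an outside party.
RULES = [
    {"Mailbox": "alice@corp.example", "Name": "Vacation cover", "Enabled": True,
     "ForwardTo": ["bob@corp.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "cfo@corp.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["backup.mail9@freemail.example"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MarkAsRead": True},
    {"Mailbox": "dave@corp.example", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ["partner@vendor.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MarkAsRead": False},
]


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Return (mailbox, rule name, severity, reasons) for every suspicious rule.

    severity: 'high' for an active rule that exfiltrates and hides mail or has a
    throwaway name, 'medium' for a plain external forward, 'low' if disabled.
    """
    findings = []
    for rule in rules:
        targets = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
        external = [t for t in targets if is_external(t)]
        if not external:
            continue  # internal-only forwarding is a policy question, not exfiltration
        reasons = [f"sends mail to external address {t}" for t in external]
        severity = "medium"
        if rule["DeleteMessage"] or rule["MarkAsRead"]:
            reasons.append("hides forwarded mail (delete or mark as read)")
            severity = "high"
        if len(rule["Name"].strip()) <= 2:
            reasons.append("rule name is blank or a single character")
            severity = "high"
        if not rule["Enabled"]:
            severity = "low"  # still worth removing, but not active exfiltration
        findings.append((rule["Mailbox"], rule["Name"], severity, reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, severity, reasons in audit_rules(RULES):
        print(f"[{severity}] {mailbox} rule {name!r}: {'; '.join(reasons)}")
```

Run this on a fresh export on a schedule and diff the findings against the previous run; a new high-severity finding on an executive mailbox is an incident, not a ticket.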
Protect Against Malicious Attachments and Links
Setting up a gateway control that checks links and attachments before messages reach your employees’ inboxes is a good first step. These tools look at file types (executables, scripts, macro-enabled documents), mismatches between a file’s name and its actual content, large file sizes and other high-risk signs, and they rewrite links so they can be checked again at click time. They can be set up to auto-quarantine, with the option to manually release a message to the inbox if it was mistakenly intercepted.
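The attachment side of such a check, as an added example that is not the original guide’s or any vendor’s code: it classifies an attachment from its file name and its first bytes, catching blocked and macro-enabled extensions, double extensions such as invoice.pdf.exe, and files whose content does not match the extension they claim. The extension lists, the size limit and the sample bytes are assumptions constructed for the example and would be tuned per organization.

```python
"""Classify email attachments by declared name versus actual content.

Added example (not from the original guide). Policy lists and samples are
constructed for illustration.
"""
import os

# Assumptions for the example: what the gateway refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".bat", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
MAX_BYTES = 25 * 1024 * 1024  # assumed gateway limit

# Magic numbers for a few formats worth verifying against the file name.
MAGIC = {
    b"MZ": "exe",                   # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",           # also .docx/.xlsx/.pptx (OOXML containers)
    b"\xd0\xcf\x11\xe0": "ole",     # legacy .doc/.xls, where VBA macros live
    b"Rar!\x1a\x07": "rar",
}
# Content we expect behind each extension (None = no recognised header, e.g. text).
EXPECTED = {".pdf": {"pdf"}, ".docx": {"zip"}, ".xlsx": {"zip"}, ".zip": {"zip"},
            ".doc": {"ole"}, ".xls": {"ole"}, ".txt": {None}}


def sniff(data):
    """Identify the format from leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(filename, data):
    """Return ('quarantine' | 'deliver', [reasons]) for one attachment."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(root)   # second extension in "invoice.pdf.exe"

    if len(data) > MAX_BYTES:
        reasons.append("exceeds size limit")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office format {ext}")
    if inner_ext in EXPECTED and ext != inner_ext:
        reasons.append(f"double extension {inner_ext}{ext}")

    kind = sniff(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        reasons.append(f"content looks like {kind or 'unknown'}, not {ext}")
    if kind == "exe" and ext not in BLOCKED_EXTENSIONS:
        reasons.append("executable header behind a non-executable name")

    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    # Constructed samples: only the leading bytes matter for the check.
    samples = [
        ("report.pdf", b"%PDF-1.7\n%..."),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
        ("photo.pdf", b"MZ\x90\x00"),
        ("quarterly.docx", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("budget.xlsm", b"PK\x03\x04"),
    ]
    for name, blob in samples:
        verdict, why = classify(name, blob)
        print(f"{name}: {verdict} {why}")
```

Note that a passing OOXML check only says the file is a zip container; deciding whether a .docx carries macros or external template links needs the container opened and inspected, which is what a sandboxing service does next.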
Increase Protection for Mobile Devices
Don’t forget about mobile device security. If you’re providing your employees access to work email on a cell phone or tablet, you’ll still need to put additional protective measures in place. Especially since these devices can be easily stolen or are easier to get into the hands of the wrong people due to their size and mobility. One program you can use for increased security on these devices is Microsoft Intune, which allows you to control email security settings on mobile devices.
Utilize Penetration Simulations
You can put your workforce training to the test by conducting mock attacks and periodic phishing simulations. A phishing simulation can help identify where more training may be required, or just get your employees some additional practice if they’re already pros at catching suspicious emails. Protect your company’s data and enhance your front lines by running regular mock attacks to test your team’s phish-catching skills.
Plus+ recommends following a real-world simulated attack approach for the best results. This is part of the comprehensive cybersecurity services we offer.
Require Multi-Factor Authentication
Enhance your email security by requiring multi-factor authentication when accessing messages outside of the office or on a new device. This security feature works by requiring that the user has more information than just the username and password, reducing the chances of unauthorized login. Examples include:
Implement DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a security standard that companies adopt to stop attackers from spoofing their domain. DMARC builds on two earlier standards: SPF, which publishes the servers allowed to send mail for your domain, and DKIM, which signs outgoing messages so receivers can verify they were not altered. A DMARC record published in DNS tells receiving mail servers what to do with messages that fail those checks and where to send aggregate reports. When your company implements DMARC, you increase your company’s reputation, security, and visibility into who is sending mail in your name. To qualify, you must establish and make public your email authentication practices (SPF and DKIM records), publish a policy for failed authentications (none, quarantine or reject), and enable reporting. Start at p=none to collect reports, then tighten to quarantine and finally reject once every legitimate sender, including third-party services, is covered.
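How a receiving server applies the record, as an added example that is not code from the original guide: it parses a DMARC TXT record, applies the defaults RFC 7489 specifies (relaxed alignment unless adkim or aspf is set to strict, subdomain policy falling back to p), and decides what to do with a message given the domains that SPF and DKIM authenticated. The two records and all domains are constructed; the organizational-domain helper is a deliberate simplification, since real implementations use the Public Suffix List.

```python
"""Parse a DMARC record and evaluate a message against it (RFC 7489 logic).

Added example, not from the original guide. Records and domains are
constructed; org_domain() is a simplification of the Public Suffix List.
"""

# Constructed _dmarc.<domain> TXT records: one strict reject policy, one
# monitoring-only policy as published at the start of a rollout.
RECORDS = {
    "corp.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@corp.example; adkim=s; aspf=s",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")   # relaxed alignment unless made strict
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(fqdn):
    """Organizational domain as the last two labels (simplification)."""
    return ".".join(fqdn.lower().split(".")[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """Identifier alignment: exact match in strict mode, same org domain in relaxed."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


def evaluate(header_from_domain, spf_pass_domain, dkim_pass_domain):
    """Decide DMARC pass/fail for a message and the action the receiver should take.

    spf_pass_domain: the MAIL FROM domain SPF authenticated, or None if SPF failed.
    dkim_pass_domain: the d= of a DKIM signature that verified, or None.
    """
    txt = RECORDS.get(header_from_domain)
    on_subdomain = False
    if txt is None:  # no record at the exact name: fall back to the org domain
        txt = RECORDS.get(org_domain(header_from_domain))
        on_subdomain = True
    if txt is None:
        return {"result": "none", "action": "accept", "reason": "no DMARC record"}

    policy = parse_dmarc(txt)
    if aligned(spf_pass_domain, header_from_domain, policy["aspf"]) or \
            aligned(dkim_pass_domain, header_from_domain, policy["adkim"]):
        return {"result": "pass", "action": "accept", "reason": "aligned SPF or DKIM"}

    # sp= governs subdomains when present; otherwise p= applies to them too.
    p = policy.get("sp", policy["p"]) if on_subdomain else policy["p"]
    action = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[p]
    return {"result": "fail", "action": action, "reason": "no aligned authentication",
            "report_to": policy.get("rua")}


if __name__ == "__main__":
    print(evaluate("corp.example", "corp.example", None))          # pass
    print(evaluate("corp.example", None, None))                    # fail -> reject
    print(evaluate("corp.example", "bulk.corp.example", None))     # strict aspf -> reject
    print(evaluate("weak.example", None, None))                    # fail, but p=none -> accept
```

The third call shows why strict alignment needs care: mail sent through a bulk-mail subdomain passes SPF for bulk.corp.example but is not strictly aligned with corp.example, so with aspf=s and no aligned DKIM signature it is rejected. The aggregate reports sent to the rua address are how you find such senders before moving past p=none.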
Consider Advanced Threat Protection
Some enterprises may opt for advanced threat protection solutions that leverage intelligent signals across your data architecture to automate the tasks of identifying, detecting and investigating threats and compromised identities.
Microsoft 365 Defender, for instance, is Microsoft’s unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
With it, you can follow an incident from the first alert to the full scope of the threat, including how it entered and what has been affected, so you can better assess the impact before responding.
How Plus+ Can Help
Email security is an often overlooked, but critical component to keeping your business’s assets protected. Preventing a breach before it happens will save you time, money, and your reputation. Make sure you’re doing it right by trusting the experts at Plus+ with setting up and enhancing your email security.
Our team of experts can help create a comprehensive plan that starts with an assessment of your current needs and gaps, so that we can tailor the right mix of planning, practices, technology and ongoing protections to secure your email environment.
Our highly qualified team can help your business by:
We help mid-size to large organizations across many industries identify their cyber threats and design comprehensive programs to manage, remediate, and control these risks across their organization.
Get the guidance and capabilities you need for peace of mind knowing your sensitive business assets are safeguarded. We can help you navigate the rapidly-evolving cybersecurity landscape and secure your business now and in the future against the constantly changing range of cyber threats.
To get started, speak with one of our cybersecurity advisors today.
Enjoy this article? Get more insights and resources to help you move from aspiration to results in our +Insights Center.